[all-commits] [llvm/llvm-project] 4f2fd3: [InstCombine] Fix miscompile on GEP+load to icmp f...
Hyeongyu Kim via All-commits
all-commits at lists.llvm.org
Sun May 30 22:28:21 PDT 2021
Branch: refs/heads/main
Home: https://github.com/llvm/llvm-project
Commit: 4f2fd3818b0eb26806f366bc37369349aeedcaf9
https://github.com/llvm/llvm-project/commit/4f2fd3818b0eb26806f366bc37369349aeedcaf9
Author: Hyeongyu Kim <gusrb406 at snu.ac.kr>
Date: 2021-05-31 (Mon, 31 May 2021)
Changed paths:
M llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
M llvm/test/Transforms/InstCombine/load-cmp.ll
Log Message:
-----------
[InstCombine] Fix miscompile on GEP+load to icmp fold (PR45210)
As noted in PR45210: https://bugs.llvm.org/show_bug.cgi?id=45210
...the bug is triggered as Eli says when sext(idx) * ElementSize overflows.
```
// assume that GV is an array of 4-byte elements
GEP = gep GV, 0, Idx // this is accessing Idx * 4
L = load GEP
ICI = icmp eq L, value
=>
ICI = icmp eq Idx, NewIdx
```
The foldCmpLoadFromIndexedGlobal function simplifies GEP+load operation to icmp.
And there is a problem because Idx * ElementSize can overflow.
Let's assume that the wanted value is at offset 0.
Then, there are actually four possible values for Idx to match offset 0: 0x00..00, 0x40..00, 0x80..00, 0xC0..00.
We should return true for all these values, but currently, the new icmp only returns true for 0x00..00.
This problem can be solved by masking off (trailing zeros of ElementSize) bits from Idx.
```
...
=>
Idx' = and Idx, 0x3F..FF
ICI = icmp eq Idx', NewIdx
```
Reviewed By: efriedma
Differential Revision: https://reviews.llvm.org/D99481
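The overflow described in the log message, as an added example that is not part of the commit or of LLVM: it models the GEP+load+icmp and both forms of the folded compare, then checks every index value exhaustively. The 16-bit index width, the array contents and all function names are assumptions chosen so the full index space can be enumerated.

```c
#include <stdint.h>
#include <stdio.h>

#define ELEM_SIZE 4u   /* 4-byte elements, as in the commit message */
#define N_ELEMS   4u   /* constructed: small global array */
#define WANTED    7u   /* constructed: value the icmp compares the load against */
#define NEW_IDX   0u   /* only GV[0] holds WANTED, so the fold compares Idx to 0 */

static const uint32_t GV[N_ELEMS] = {7, 1, 2, 3};

/* Original GEP+load+icmp. The byte offset Idx*ELEM_SIZE wraps at the index
 * width (assumed 16 bits). *defined is 0 when the access is out of bounds. */
static int original(uint16_t idx, int *defined) {
    uint16_t off = (uint16_t)(idx * ELEM_SIZE);
    *defined = (off / ELEM_SIZE) < N_ELEMS;
    return *defined && GV[off / ELEM_SIZE] == WANTED;
}

/* Mask that clears as many high bits as ELEM_SIZE has trailing zeros. */
static uint16_t idx_mask(void) {
    unsigned tz = 0;
    while (((ELEM_SIZE >> tz) & 1u) == 0) tz++;
    return (uint16_t)(0xFFFFu >> tz);
}

/* Folded compare: without the mask (before the fix) or with it (after). */
static int folded(uint16_t idx, int masked) {
    if (masked) idx &= idx_mask();
    return idx == NEW_IDX;
}

/* Count in-bounds indices where the fold disagrees with the original. */
static int count_mismatches(int masked) {
    int bad = 0;
    for (uint32_t i = 0; i <= 0xFFFFu; i++) {
        int defined;
        int want = original((uint16_t)i, &defined);
        if (defined && want != folded((uint16_t)i, masked)) bad++;
    }
    return bad;
}

int main(void) {
    printf("mask=0x%04X unmasked=%d masked=%d\n",
           idx_mask(), count_mismatches(0), count_mismatches(1));
    return 0;
}
```

The three disagreements of the unmasked fold are the indices 0x4000, 0x8000 and 0xC000, the 16-bit counterparts of the 0x40..00, 0x80..00 and 0xC0..00 values named in the log message.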